1. Field of the Invention
The present invention relates to packet communication systems, and particularly to a packet communication system that performs packet communication by using a mobile virtual private network (VPN).
2. Description of the Related Art
In Internet Protocol (IP) communication, an IP address is assigned to each terminal. When a terminal is moved to a different network, a different IP address is assigned thereto, and the terminal cannot continue communication performed before the movement. Mobile IP has been developed as a technology that allows IP communication to be continued even if a terminal is moved to a different network.
Mobile IP conceals from the layers above the IP layer the fact that a terminal has moved, and presents the terminal to its communication peer as if it had not moved, so that the terminal can move while communication with the peer continues. Mobile IP variants that support movement in the IP layer include Mobile IPv4 and Mobile IPv6.
As the mobile IP has advanced, a demand for more convenient remote access has been increasing. To satisfy the demand, a virtual private network (VPN) technology has been implemented. VPNs are private communication networks virtually configured by connecting points through public networks such as the Internet, and allow communications with private IP addresses.
IP addresses carried in packets on the Internet are of two types: global IP addresses, which are unique worldwide, and private IP addresses, which are used within private networks shared in companies and homes.
To enable communication in the Internet, both parties need to have global IP addresses. Usually in companies, however, global IP addresses are assigned to a minimum number of units, such as a router and a web server, and private IP addresses are used in an in-house LAN.
Therefore, a terminal on an in-house LAN usually cannot be accessed through the Internet from outside the LAN. Since a VPN allows communication between terminals having private IP addresses, however, intranets can communicate as if they were on the same private network, and remote access to the in-house LAN can be implemented from a home or from a business-trip destination.
Unlike leased lines, VPNs carry risks of sniffing (furtively reading the content of data), tampering (altering the content of data), impersonation (a third party pretending to be an authorized user in order to act on a network), and other risks, because communication passes through networks having a low security level (in the case of Internet VPNs, through the Internet itself). Security is therefore one of the most important issues, and VPNs use encrypted communication based on the IP security architecture (IPsec) to avoid these risks.
IPsec provides concealment of the IP packets themselves and performs access control with the packet information guaranteed, implementing a high security level in units of IP packets rather than for a specific application. Unlike Pretty Good Privacy (PGP) for e-mail and Secure Socket Layer (SSL) for WWW communication, IPsec can protect a variety of applications without any need to provide a security function specific to each application.
Applications that use higher protocols such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) can use IPsec without being aware of its use and can maintain the same security level as for leased lines, at a low cost.
As described above, Mobile IP provides mobility with which one IP address can be accessed from anywhere on IP networks, and VPNs with IPsec allow mutual communication to be performed at a high security level.
Recently, a mobile VPN technology has been researched and developed, in which Mobile IP and a VPN are combined to provide both mobility and a high security level. In a mobile VPN, Mobile IP is registered as a terminal is moved, and the VPN is updated at the same time. This technology attracts attention as a core technology of remote access systems in the ubiquitous era.
Initially, mobile VPNs had technical issues, such as their relationship with network address translation (NAT) and satisfying both security consistency and seamless communication at handover. These issues are being solved by technical specifications such as RFC 3456, RFC 3947, RFC 3948, and draft-ietf-mip4-vpn-problem-solution-01 of the Internet Engineering Task Force (IETF).
As a conventional technology related to mobile VPNs, a network technology in which a relay apparatus holds a routing table for searching the header for the destination address to accommodate a radio terminal has been proposed (for example, see paragraph Nos. [0027] to [0048] and FIG. 1 in Japanese Unexamined Patent Application Publication No. 2005-86223).
In a conventional mobile VPN system (for example, the system described in the above draft-ietf-mip4-vpn-problem-solution-01), however, the packet encapsulation performed by Mobile IP (a distribution header is added to a packet to encapsulate it) and the further encapsulation performed by IPsec in tunnel mode when the VPN is configured together triply encapsulate an IP packet, which makes the data larger and ties up network bandwidth.
The conventional problems will be described below in detail. First, the outline operation of Mobile IP, which is the basis of a mobile VPN, will be described, and then the problems of the conventional mobile VPN will be explained specifically.
FIG. 30 shows an example structure of a Mobile-IP network. FIG. 31A indicates the format of a packet sent from a mobile node, and FIG. 31B indicates the format of a packet sent from a home agent.
In the Mobile-IP network, a home network 51, a visitor-location network 52, and a communication terminal 6 are connected through the Internet 53.
A mobile node MN (MN: mobile node) usually belongs to the home network 51, and has a fixed IP address called a home address (HoA). In the home network 51, a home agent 5 for managing the position of the mobile node MN is disposed.
It is assumed here that the IP address of the home agent 5 is HA (home agent), and the IP address of the communication terminal 6, which is a fixed unit, is CN (CN: correspondent node).
Step S51: The mobile node MN moves from the home network 51 to the visitor-location network 52 to change the connection destination.
Step S52: The mobile node MN obtains a temporary IP address used in the movement-destination network by using Dynamic Host Configuration Protocol (DHCP: protocol that automatically assigns necessary information such as an IP address to a computer temporarily connecting to the Internet) or the like. This temporary IP address is called a care-of address (CoA).
Step S53: The mobile node MN sends a position registration message that associates HoA and CoA, to the home agent 5.
Step S54: The home agent 5 receives the position registration message and registers the position, holding the relationship between HoA and CoA.
Step S55: When the mobile node MN sends a packet to the communication terminal 6, the mobile node MN generates a packet p1 having a header in which the destination is set to CN and the transmission source is set to HoA, as shown in FIG. 31A. Since the packet is sent through the home agent 5, the mobile node MN adds an IP header in which the destination is set to HA and the transmission source is set to CoA to the original packet p1 to generate a packet p1c, as shown in FIG. 31A, and sends the packet p1c to the home agent 5.
Step S56: The home agent 5 receives the packet p1c and decapsulates it to take out the packet p1. Since the header information of the packet p1 shows that the destination is CN, the home agent 5 sends the packet p1 to the communication terminal 6.
Step S57: When the communication terminal 6 sends a packet to the mobile node MN, the communication terminal 6 generates a packet p2 having a header in which the destination is set to HoA and the transmission source is set to CN, as shown in FIG. 31B, and sends it to the Internet 53.
Step S58: The home agent 5 intercepts the packet p2 addressed to the mobile node MN (destination HoA), and looks up from HoA the CoA held at position registration. The home agent 5 adds a header in which the destination is set to CoA and the transmission source is set to HA to the packet p2 to generate a packet p2c, as shown in FIG. 31B, and sends the packet p2c to the mobile node MN through the Internet 53.
Step S59: The mobile node MN receives the packet p2c, and decapsulates it to take out the packet p2.
As described above, since the home agent 5 holds the relationship between HoA and CoA and performs proxy reception of a packet sent to the mobile node MN, the communication terminal 6 can send a packet always to HoA without being aware of the movement of the mobile node MN. The mobile node MN can receive the packet even at the movement destination.
The general specification of Mobile IPv4 defines a system in which the visitor-location network 52 serves as a foreign network, a foreign agent is disposed in the foreign network, and the foreign agent assigns CoAs to a plurality of mobile nodes MN and decapsulates packets sent to a mobile node MN. When the functions of the foreign agent are provided in the mobile node MN itself, a network that needs no special node such as a foreign agent can be configured (in Mobile IPv6, the foreign agent is unnecessary). In the above description, DHCP is used to obtain CoA. When a mobile node MN itself has an automatic address generation function, a unit supporting a special protocol such as DHCP is also unnecessary.
The structure of a mobile VPN will be described next. FIG. 32 shows an example structure of a mobile VPN. FIG. 33A and FIG. 33B show packet formats used in the mobile VPN. The mobile VPN differs from the Mobile-IP network described above with reference to FIG. 30 in that the mobile VPN further includes a VPN gateway 7 and a mobile node MN has the IPsec function.
The VPN gateway 7 is a termination unit disposed at the point in the communication path where encryption is performed, and it creates a state in which a connection is made over a virtual private line, that is, a VPN. In the figure, the VPN gateway 7 is disposed between the home agent 5 and the Internet 53 so that the VPN serves as an encrypted communication path between the mobile node MN and the VPN gateway 7, implementing safe communication even over the Internet.
When such a VPN is configured, encrypted tunneling is performed: a new header is added to the packet to be protected to generate another packet, and the whole of that other packet, which is the actual communication target, is protected. This also allows communication between networks having different protocols or address systems.
When the mobile node MN sends a packet, the packet p1c is encrypted; the whole encrypted packet p1c is encapsulated, for example, with an encapsulating security payload (ESP) header; and a new IP header for tunnel communication is added, generating the packet p1s shown in FIG. 33A, which is then sent. In this new IP header for tunnel communication, the destination is set to the IP address of the VPN gateway 7 and the transmission source is set to the PHY address (the physical address in the visitor-location network 52).
When the VPN gateway 7 sends a packet, the packet p2c is encrypted; the whole encrypted packet p2c is encapsulated, for example, with an ESP header; and a new IP header for tunnel communication is added, generating the packet p2s shown in FIG. 33B, which is then sent. In this new IP header for tunnel communication, the destination is set to the PHY address and the transmission source is set to the IP address of the VPN gateway 7.
As described above, because the original IP packet is encapsulated by Mobile IP with an added IP header and is further encapsulated by IPsec tunneling, the packet format of a conventional mobile VPN involves triple encapsulation.
Because redundant IP headers are added, the amount of data actually exchanged between the networks becomes larger than the original data the users want to exchange, which ties up network bandwidth.
In particular, wireless LANs such as IEEE 802.11b, which is currently in general use, and mobile telephone networks such as wideband code division multiple access (W-CDMA) have narrow bandwidths. When IP headers are stacked and the size of each exchanged IP packet grows, a very large load is imposed on these networks and their operability is reduced.
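The Mobile IP encapsulation of steps S55 and S56 (p1 into p1c) and the further IPsec tunnel-mode encapsulation that yields p1s (FIG. 33A), as an added worked example that is not part of this description nor any product's code: it builds the nested IPv4 packets with valid header checksums and reports how much of each packet on the wire is user data. The addresses, the SPI, and the 12-byte integrity check value (HMAC-SHA1-96) are constructed assumptions, and encryption is replaced by an identity transform because only the sizes matter here.

```python
import socket
import struct

IPV4_HDR = 20    # IPv4 header length without options
ESP_HDR = 8      # ESP: SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2  # ESP trailer: pad length (1) + next header (1)
ESP_ICV = 12     # integrity check value; 12 bytes assumes HMAC-SHA1-96

def ipv4_checksum(hdr: bytes) -> int:
    """Standard ones-complement checksum over a 20-byte header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + payload_len, 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def mobile_ip_encapsulate(p1: bytes, coa: str, ha: str) -> bytes:
    """Step S55: p1 -> p1c, outer IP header CoA -> HA, protocol 4 (IP-in-IP)."""
    return ipv4_header(coa, ha, 4, len(p1)) + p1

def esp_tunnel(p1c: bytes, phy: str, gw: str, spi: int, seq: int, block: int = 16) -> bytes:
    """p1c -> p1s: ESP tunnel mode (protocol 50), PHY -> VPN gateway.
    The payload is padded to the cipher block size but left in clear: size model only."""
    pad_len = (-(len(p1c) + ESP_TRAILER)) % block
    body = p1c + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # next header 4 = IPv4
    esp = struct.pack("!II", spi, seq) + body + b"\x00" * ESP_ICV     # ICV placeholder
    return ipv4_header(phy, gw, 50, len(esp)) + esp

def build_packets(user_bytes: int) -> dict:
    """Constructed addresses: private HoA/HA on the home network, RFC 5737 ranges elsewhere."""
    p1 = ipv4_header("10.0.0.10", "198.51.100.50", 17, user_bytes) + b"\x00" * user_bytes
    p1c = mobile_ip_encapsulate(p1, "192.0.2.33", "10.0.0.1")        # CoA -> HA
    p1s = esp_tunnel(p1c, "192.0.2.34", "203.0.113.1", spi=0x1234, seq=1)  # PHY -> GW
    return {"p1": p1, "p1c": p1c, "p1s": p1s}

def wire_efficiency(user_bytes: int) -> float:
    """Fraction of the packet on the wire that is user data."""
    return user_bytes / len(build_packets(user_bytes)["p1s"])

if __name__ == "__main__":
    for n in (40, 100, 500, 1400):
        pk = build_packets(n)
        print(f"{n:5d} user bytes -> p1 {len(pk['p1'])}, p1c {len(pk['p1c'])}, "
              f"p1s {len(pk['p1s'])} bytes, efficiency {wire_efficiency(n):.2f}")
```

For a 100-byte payload the model gives a 184-byte p1s, so under half of what crosses the visitor-location network is user data; the efficiency loss is sharpest for the small packets typical of interactive traffic.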